asm

Reputation: 19

x86 assembly: Explaining disassembled code

Can anyone please explain the following asm code to me? What does it do? I have already commented it a bit.
EDIT: C++, compiled with MS Visual C++ 2008 Express Edition -> reassembled

.text:39552AF5    pop     ecx
.text:39552AF6    push    eax             ; void *
.text:39552AF7    lea     eax, [ebp+procedureVariable_C] ; get a proc variable from stack to eax?
.text:39552AFA    call    sub_39501565 ; call procedure with arguments: eax(void) and the lea result?
.text:39552AFF    mov     ecx, dword_395D0A44 ; dword_395D0A44("official") char gets moved into ecx
.text:39552B05    mov     eax, ebx ; ?
.text:39552B07    call    sub_39572981 ; ? no arguments?
.text:39501565 ; int __stdcall sub_39501565(void *)  
.text:39501565 sub_39501565    proc near               ; CODE XREF: sub_39501423+1Cp  
.text:39501565                                         ; sub_39501803+1Cp ...  
.text:39501565  
.text:39501565 arg_0           = dword ptr  4  
.text:39501565  
.text:39501565                 cmp     [esp+arg_0], 0  
.text:3950156A                 push    edi  
.text:3950156B                 mov     edi, eax  
.text:3950156D                 jnz     short loc_39501573  
.text:3950156F                 xor     eax, eax  
.text:39501571                 jmp     short loc_39501583  
.text:39501573 ; ---------------------------------------------------------------------------  
.text:39501573   
.text:39501573 loc_39501573:                           ; CODE XREF: sub_39501565+8j  
.text:39501573                 mov     eax, [esp+4+arg_0]  
.text:39501577                 lea     edx, [eax+1]  
.text:3950157A  
.text:3950157A loc_3950157A:                           ; CODE XREF: sub_39501565+1Aj  
.text:3950157A                 mov     cl, [eax]  
.text:3950157C                 inc     eax  
.text:3950157D                 test    cl, cl  
.text:3950157F                 jnz     short loc_3950157A  
.text:39501581                 sub     eax, edx  
.text:39501583  
.text:39501583 loc_39501583:                           ; CODE XREF: sub_39501565+Cj  
.text:39501583                 push    eax             ; int  
.text:39501584                 push    [esp+8+arg_0]   ; void *  
.text:39501588                 call    sub_39501524  
.text:3950158D                 mov     eax, edi  
.text:3950158F                 pop     edi  
.text:39501590                 retn    4  
.text:39501590 sub_39501565    endp  

Upvotes: 1

Views: 837

Answers (3)

Bo Persson

Reputation: 92211

This part

.text:39501573
.text:39501573 loc_39501573: ; CODE XREF: sub_39501565+8j
.text:39501573 mov eax, [esp+4+arg_0]
.text:39501577 lea edx, [eax+1]
.text:3950157A
.text:3950157A loc_3950157A: ; CODE XREF: sub_39501565+1Aj
.text:3950157A mov cl, [eax]
.text:3950157C inc eax
.text:3950157D test cl, cl
.text:3950157F jnz short loc_3950157A
.text:39501581 sub eax, edx

looks like it is scanning for a nul byte and computing end - start + 1, where start + 1 comes from edx.

This is what strlen would do!

Is there some magic here?!

Upvotes: 1
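To make the reading of sub_39501565 concrete, here is a C reconstruction of the listing, added as an example alongside this thread; it is not the poster's code and not the binary's source. The inline loop is mapped instruction by instruction, and the whole function is modelled around it. Assumptions are marked in the comments: the register value arriving in EAX (saved in EDI and returned) is modelled as a pointer to a record, and sub_39501524, of which only the two pushed stack arguments are visible, is replaced by a stand-in that records what it was given. The names scan_length, call_record, stand_in_39501524 and reconstructed_sub_39501565 are inventions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reconstruction of the loop at loc_39501573..39501581. EAX walks the bytes
 * until the NUL; EDX was set to start+1 before the loop; after the loop EAX
 * is one past the NUL, so EAX - EDX == (end+1) - (start+1) == the number of
 * bytes before the NUL, i.e. what strlen returns. */
size_t scan_length(const char *s)
{
    const char *p = s;           /* mov eax, [esp+4+arg_0] */
    const char *start1 = s + 1;  /* lea edx, [eax+1]  (address arithmetic, no memory load) */
    char c;
    do {
        c = *p;                  /* mov cl, [eax] */
        p++;                     /* inc eax */
    } while (c != '\0');         /* test cl, cl / jnz short loc_3950157A */
    return (size_t)(p - start1); /* sub eax, edx */
}

/* Assumed record of what sub_39501524 was handed; the real callee is unknown. */
struct call_record {
    const void *ptr;  /* first pushed argument (void *) */
    size_t len;       /* second pushed argument (int) */
    int calls;
};

/* Stand-in for sub_39501524: only its two stack arguments are visible in the
 * listing, so the extra record parameter is an assumption of this example. */
static void stand_in_39501524(struct call_record *rec, const void *p, size_t n)
{
    rec->ptr = p;
    rec->len = n;
    rec->calls++;
}

/* Reconstruction of sub_39501565. The value in EAX is saved in EDI and handed
 * back in EAX at retn, so the function returns whatever it was given in EAX
 * (modelled here as a record pointer, an assumption). A NULL stack argument
 * short-circuits to length 0 (xor eax, eax) instead of scanning memory. */
struct call_record *reconstructed_sub_39501565(struct call_record *rec, const char *arg)
{
    size_t len = (arg == NULL) ? 0 : scan_length(arg); /* cmp [esp+arg_0], 0 / jnz */
    stand_in_39501524(rec, arg, len);                  /* push eax ; push [esp+8+arg_0] ; call */
    return rec;                                        /* mov eax, edi ; pop edi ; retn 4 */
}

/* Cross-check the reconstructed loop against the C library's strlen. */
int matches_strlen(const char *s)
{
    return scan_length(s) == strlen(s);
}

int main(void)
{
    struct call_record rec = {0};
    const char *samples[] = { "", "a", "official", "hello, world" }; /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        reconstructed_sub_39501565(&rec, samples[i]);
        printf("%-14s len=%zu strlen-agrees=%d\n", samples[i], rec.len, matches_strlen(samples[i]));
    }
    reconstructed_sub_39501565(&rec, NULL);
    printf("NULL           len=%zu (no scan)\n", rec.len);
    return 0;
}
```

The NULL check at the top of the listing is what keeps the scan loop from dereferencing address 0; when reading a routine like this, the absence of any other bound on the loop is worth noting, since the scan stops only at the first zero byte it finds.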

Martin James

Reputation: 24847

What do you want to know from SO that you don't already know? It's a couple of function calls. The first passes a local parameter by reference in EAX, the second gets EAX as a parameter, perhaps a result from the first call, or perhaps just what was passed into this block in EBX.

We don't know what calling conventions are used, whether this assembler is disassembled compiler output or 'human' coding, no context, no clue to what the functions do or return. We're not exactly in a good position to help.

There is nothing unusual about this code. What's the problem?

Rgds, Martin

Upvotes: 0

CodesInChaos

Reputation: 108790

lea does not dereference anything. It just does arithmetic with the registers in its second parameter and stores the result in the first parameter.

lea     eax, [ebp+procedureVariable_C];

Assuming that procedureVariable_C is a constant offset it adds that offset to calculate the pointer to the corresponding variable.

Upvotes: 0
